Flaws discovered in a GPS device used in fleet management could allow attackers to remotely disrupt operations and surveil vehicle movements, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and security firm BitSight warned Tuesday.
The full story can be found here: https://therecord.media/unpatched-flaws-in-popular-gps-devices-could-let-hackers-disrupt-and-track-vehicles/
“The Lesson – Choose your vendor wisely – Shenzhen, China-based MiCODUS has in place a fundamentally insecure communication architecture that relies on centralized control of all these devices from a single IP address/website, making the entire system susceptible to simple man-in-the-middle, denial of service and authentication bypass attacks. In addition, they used unencrypted HTTP and an unencrypted proprietary protocol to facilitate all communication with the GPS unit. They even made it so easy that SMS messages could control any GPS unit. They allow for the reprogramming of the unit’s API server IP address, allowing any attacker the ability to monitor and control the GPS tracker from anyone/anywhere. Russia, Morocco and Chile are suspected to be the top three countries where these devices are present. But the more shocking revelation is the list of types of organizations using this technology worldwide, including several Fortune 50 companies, governments and militaries. The company has not responded to the researchers’ or CISA’s attempts to get a remediation plan. And the researchers recommend disabling this unit until a fix can be produced. In my opinion, based on this architecture and the need to reprogram the onboard devices, this fix will take a long time to be produced, if ever. Onboard vehicle system isolation (aka network segmentation) of critical systems with proper security controls would prevent such catastrophic impact.”
“Modern cars are essentially data centres on wheels, with over 30 different electronic boards that control them. This research demonstrates the possible impact just one insecure device can have on the entire vehicle. It also emphasises the need for setting permission levels and mitigations in the internal vehicle network, as well as the connection between the car and the outside world. While vulnerabilities are always a concern, a proper firewall or anomaly detection engine with oversight of car communications systems can add some line of defence, as they can detect the exploitation of these types of vulnerabilities.”